| शीर्षक | 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Path Traversal |
|---|
| विवरण | The server attempts to restrict file access to PROJECT_ROOT using is_safe_path, but relies on Path.absolute() parent membership checks. Because absolute() does not canonicalize .., crafted paths such as PROJECT_ROOT/../outside.txt can pass the parent check while resolving outside workspace boundaries in downstream file operations. This may enable out-of-workspace read/write access through MCP file tools. |
|---|
| स्रोत | ⚠️ https://github.com/54yyyu/code-mcp/issues/4 |
|---|
| उपयोगकर्ता | CPT_Penner (UID 97246) |
|---|
| सबमिशन | 18/04/2026 08:28 PM (2 महीनों पहले) |
|---|
| संयम | 04/05/2026 11:24 PM (16 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 361071 [54yyyu code-mcp तक 4cfc4643541a110c906d93635b391bf7e357f4a8 MCP File src/code_mcp/server.py is_safe_path निर्देशिका ट्रैवर्सल] |
|---|
| अंक | 20 |
|---|